Hal, I have solved the issue for now, by changing the group of the live/ and archive/ directories in /etc/letsencrypt to ntp, and giving the group read permissions.
root@ntpmon:/etc/letsencrypt# ls -l
total 36
drwx------ 4 root root 4096 Oct 21  2018 accounts
drwxr-x--- 3 root ntp  4096 Jan 17  2016 archive
-rw-r--r-- 1 root root  121 Jan 10  2018 cli.ini
drwxr-xr-x 2 root root 4096 May  9 09:39 csr
drwx------ 2 root root 4096 May  9 09:39 keys
drwxr-x--- 3 root ntp  4096 Jan 17  2016 live
-rw-r--r-- 1 root root  924 May  9 09:39 options-ssl-apache.conf
drwxr-xr-x 2 root root 4096 May  9 09:39 renewal
drwxr-xr-x 5 root root 4096 Oct 21  2017 renewal-hooks

We need to add this to the NTS Howto. Let me draft some language.

-- 
Sanjeev Gupta
+65 98551208
http://www.linkedin.com/in/ghane

On Tue, Jun 9, 2020 at 12:23 PM Hal Murray <hmur...@megapathdsl.net> wrote:
>
> > Which causes ntpd to fail on startup (I assume after dropping root):
>
> Looks like you are dying trying to read the certificate. It will get worse
> when you want to read the key.
>
> --------------
>
> Do you trust user ntp? If so, the fix is to change ownership. I copy the
> cert and key over to /etc/ntp/ and change to user ntp:ntp
>
> If not, things get complicated. The current code will reload the certificate
> if it is updated. Are you willing to give that up? If so, we can add an
> option to read the certificate before dropping root and disable trying to
> reload. That probably won't work with early drop root.
>
> --
> These are my opinions. I hate spam.
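The group-permission fix described in this message, written out as an added example (not code from the thread or from NTPsec): a POSIX shell script that gives a service group read access to certbot's live/ and archive/ trees and then checks that every directory is group-searchable and every certificate and key file is group-readable. It assumes the standard certbot layout (live/<host>/ holds symlinks into archive/<host>/), that the base path and the group name are passed as arguments, and that the ntp group is trusted with the private key, since ntpd needs the key as well as the chain.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Usage: grant_group_access /etc/letsencrypt ntp
#        verify_group_access /etc/letsencrypt

# Change the group of live/ and archive/ to GROUP and open group read
# access: directories get r+x (search), regular files get r. Private keys
# become group-readable too, so only use this with a trusted service group.
# World access to private keys is removed as a precaution.
grant_group_access() {
    base=$1
    group=$2
    for d in "$base/live" "$base/archive"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
        chgrp -R "$group" "$d"
        find "$d" -type d -exec chmod g+rx {} +
        find "$d" -type f -exec chmod g+r {} +
        find "$d" -type f -name 'privkey*.pem' -exec chmod o-rwx {} +
    done
}

# Report every directory lacking group r+x (octal 050) and every file
# lacking group r (octal 040) under live/ and archive/. -L follows the
# live/ symlinks so the mode of the archive/ target is what gets tested,
# which is what ntpd sees when it opens live/<host>/fullchain.pem.
# Returns 0 when the whole tree is readable by the group.
verify_group_access() {
    base=$1
    status=0
    for d in "$base/live" "$base/archive"; do
        missing=$(find -L "$d" \( -type d ! -perm -050 \) -o \( -type f ! -perm -040 \))
        if [ -n "$missing" ]; then
            printf 'not readable by group:\n%s\n' "$missing" >&2
            status=1
        fi
    done
    return $status
}

# When run directly with a base path and a group, apply and then verify.
if [ "$#" -eq 2 ]; then
    grant_group_access "$1" "$2" && verify_group_access "$1"
fi
```

Run the verify step on its own (for example after a certbot renewal) to confirm that newly written archive/ files are still readable by the group before ntpd tries to reload them.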
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel